https://krebsonsecurity.com/2022/04/raidforums-get-raided-alleged-admin-arrested/

Krebs on Security

RaidForums Gets Raided, Alleged Admin Arrested

April 12, 2022

The U.S. Department of Justice (DOJ) said today it seized the website and user database for RaidForums, an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world's largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums -- 21-year-old Diogo Santos Coelho, of Portugal -- with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

The "raid" in RaidForums is a nod to the community's humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. According to the DOJ, that early activity included "'raiding' -- posting or sending an overwhelming volume of contact to a victim's online communications medium -- and 'swatting,' the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response."

But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares. Perhaps the most bustling marketplace within RaidForums was its "Leaks Market," which described itself as a place to buy, sell, and trade hacked databases and leaks.

The government alleges Coelho and his forum administrator identity "Omnipotent" profited from the illicit activity on the platform by charging "escalating prices for membership tiers that offered greater access and features, including a top-tier 'God' membership status."

"RaidForums also sold 'credits' that provided members access to privileged areas of the website and enabled members to 'unlock' and download stolen financial information, means of identification, and data from compromised databases, among other items," the DOJ said in a written statement. "Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts."

Prosecutors say Coelho also personally sold stolen data on the platform, and that Omnipotent directly facilitated illicit transactions by operating a fee-based "Official Middleman" service, a kind of escrow or insurance service that denizens of RaidForums were encouraged to use when transacting with other criminals.

Investigators described multiple instances wherein undercover federal agents or confidential informants used Omnipotent's escrow service to purchase huge tranches of data from one of Coelho's alternate user identities -- meaning Coelho not only sold data he'd personally hacked but also further profited by insisting the transactions were handled through his own middleman service.

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

On Aug. 11, 2021, an individual using the moniker "SubVirt" posted on RaidForums an offer to sell Social Security numbers, dates of birth and other records on more than 120 million people in the United States (SubVirt would later edit the sales thread to say 30 million records). Just days later, T-Mobile would acknowledge a data breach affecting 40 million current, former or prospective customers who applied for credit with the company.

The government says the victim firm hired a third party to purchase the database and prevent it from being sold to cybercriminals. That third party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. "However, it appears the co-conspirators continued to attempt to sell the databases after the third-party's purchase," the affidavit alleges.

The FBI's seizure of RaidForums was first reported by KrebsOnSecurity on Mar. 23, after a federal investigator confirmed rumors that the FBI had been secretly operating the RaidForums website for weeks.

Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent.

"In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent," the government's affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site's primary domain was seized.

The DOJ said Coelho was arrested in the United Kingdom on January 31, at the United States' request, and remains in custody pending the resolution of his extradition hearing.

A statement from the U.K.'s National Crime Agency (NCA) said the RaidForums takedown was the result of "Operation Tourniquet," an investigation carried out by the NCA in cooperation with the United States, Europol and four other countries that resulted in "a number of linked arrests."

A copy of the indictment against Coelho is available here (PDF).

This entry was posted on Tuesday 12th of April 2022 01:29 PM

5 thoughts on "RaidForums Gets Raided, Alleged Admin Arrested"

1. Seller13, April 12, 2022
Please delete this post as this means I am in big trouble.

2. VINCENZO TROIA, April 12, 2022
LOOOOOOOOOL. RIP VINCENZO TROIA

3. Mike D, April 12, 2022
"However, it appears the co-conspirators continued to attempt to sell the databases after the third-party's purchase"
You don't say...

4. Joe Guy, April 12, 2022
Sharpest knife in the drawer, this one.

5. The Sunshine State, April 12, 2022
https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/